Add OutOfProcessSystemDnsResolutionEnabled enterprise policy
Linux and Android are launching the OutOfProcessSystemDnsResolution feature. This will move system DNS resolution from the network service to the browser. Since changes like this have often resulted in problems with third party software injecting code into our processes, this adds a policy so enterprises can disable this feature. Change-Id: Idcc4265dede4788d6d57108c67fdfac58d7e4901 Bug: 1312224, 1320192 Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/4179001 Reviewed-by: Matt Menke <mmenke@chromium.org> Reviewed-by: Victor-Gabriel Savu <vsavu@google.com> Commit-Queue: Matthew Denton <mpdenton@chromium.org> Reviewed-by: Charlie Reis <creis@chromium.org> Reviewed-by: Sergey Poromov <poromov@chromium.org> Cr-Commit-Position: refs/heads/main@{#1096547}
Showing
15 changed files
with
202 additions
and
5 deletions.
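--- a/chrome/browser/policy/test/out_of_process_system_dns_resolution_browsertest.cc
+++ b/chrome/browser/policy/test/out_of_process_system_dns_resolution_browsertest.cc
@@ -0,0 +1,70 @@
+// Copyright 2023 The Chromium Authors
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+#include "base/values.h"
+#include "build/build_config.h"
+#include "chrome/browser/chrome_content_browser_client.h"
+#include "chrome/browser/policy/policy_test_utils.h"
+#include "components/policy/core/common/mock_configuration_policy_provider.h"
+#include "components/policy/core/common/policy_map.h"
+#include "components/policy/core/common/policy_types.h"
+#include "components/policy/policy_constants.h"
+#include "content/public/browser/content_browser_client.h"
+#include "content/public/test/browser_test.h"
+#include "testing/gtest/include/gtest/gtest.h"
+
+namespace policy {
+
+class OutOfProcessSystemDnsResolutionEnabledTest
+: public PolicyTest,
+public testing::WithParamInterface<policy::PolicyTest::BooleanPolicy> {
+public:
+void SetUpInProcessBrowserTestFixture() override {
+PolicyTest::SetUpInProcessBrowserTestFixture();
+if (GetParam() != BooleanPolicy::kNotConfigured) {
+PolicyMap policies;
+policies.Set(key::kOutOfProcessSystemDnsResolutionEnabled,
+POLICY_LEVEL_MANDATORY, POLICY_SCOPE_USER,
+POLICY_SOURCE_CLOUD,
+base::Value(GetParam() == BooleanPolicy::kTrue), nullptr);
+provider_.UpdateChromePolicy(policies);
+}
+}
+};
+
+IN_PROC_BROWSER_TEST_P(OutOfProcessSystemDnsResolutionEnabledTest,
+IsRespected) {
+// Policy always overrides the default.
+bool expected_value;
+switch (GetParam()) {
+case PolicyTest::BooleanPolicy::kTrue:
+expected_value = true;
+break;
+case PolicyTest::BooleanPolicy::kFalse:
+expected_value = false;
+break;
+case PolicyTest::BooleanPolicy::kNotConfigured:
+content::ContentBrowserClient content_client;
+expected_value =
+content_client.ShouldRunOutOfProcessSystemDnsResolution();
+break;
+}
+ChromeContentBrowserClient client;
+EXPECT_EQ(expected_value, client.ShouldRunOutOfProcessSystemDnsResolution());
+}
+
+INSTANTIATE_TEST_SUITE_P(Enabled,
+OutOfProcessSystemDnsResolutionEnabledTest,
+::testing::Values(PolicyTest::BooleanPolicy::kTrue));
+
+INSTANTIATE_TEST_SUITE_P(Disabled,
+OutOfProcessSystemDnsResolutionEnabledTest,
+::testing::Values(PolicyTest::BooleanPolicy::kFalse));
+
+INSTANTIATE_TEST_SUITE_P(
+NotSet,
+OutOfProcessSystemDnsResolutionEnabledTest,
+::testing::Values(PolicyTest::BooleanPolicy::kNotConfigured));
+
+} // namespace policy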
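Review bot: `bool expected_value;` at the top of the IsRespected body is declared uninitialized and the switch below it has no default, so the value reaching EXPECT_EQ depends on every BooleanPolicy enumerator being covered; initializing it, `bool expected_value = false;`, keeps the test well-defined if an enumerator is ever added. The kNotConfigured case declares `content::ContentBrowserClient content_client;` directly under a case label without a braced scope, which compiles only because it is the last label; wrapping that case body in braces would make the scope explicit. `build/build_config.h` is included but no BUILDFLAG check appears in the file, so either the include is unused or the Linux/Android gating that the policy's supported_on list implies lives in the BUILD.gn target, which is not visible here.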
30 changes: 30 additions & 0 deletions
30
...esources/templates/policy_definitions/Network/OutOfProcessSystemDnsResolutionEnabled.yaml
@@ -0,0 +1,30 @@ | ||
owners: | ||
- mpdenton@google.com | ||
- file://services/network/OWNERS | ||
caption: Enable system DNS resolution outside of the network service | ||
desc: |- | ||
Setting this policy to true causes system DNS resolution (getaddrinfo()) to possibly run outside of the network process, depending on system configuration and feature flags. | ||
Setting this policy to false causes system DNS resolution (getaddrinfo()) to run in the network process rather than the browser process. This may force the network service sandbox to be disabled, degrading the security of <ph name="PRODUCT_NAME">$1<ex>Google Chrome</ex></ph>. | ||
If this policy is not set, system DNS resolution may run in the network service, outside of the network service, or partially inside and partially outside, depending on system configuration and feature flags. | ||
supported_on: | ||
- chrome.linux:111- | ||
- android:111- | ||
features: | ||
dynamic_refresh: false | ||
per_profile: false | ||
type: main | ||
schema: | ||
type: boolean | ||
items: | ||
- caption: System DNS resolution may be run in or out of the network process depending on system configuration and feature flags. | ||
value: true | ||
- caption: System DNS resolution will be run in the network process. | ||
value: false | ||
- caption: System DNS resolution may be run in or out of the network process, or partially in and partially out of the network process, depending on system configuration and feature flags. | ||
value: null | ||
default: null | ||
example_value: false | ||
tags: | ||
- system-security |
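Review bot: The `items` caption for `value: false` says only that resolution will run in the network process, while the `desc` paragraph for the same setting warns that this may force the network service sandbox to be disabled; the item caption is what an admin sees in the policy UI dropdown, so the sandbox consequence should be repeated there, e.g. `- caption: System DNS resolution will be run in the network process. This may require disabling the network service sandbox.` Since `dynamic_refresh: false`, it may also help to state in the desc that a change takes effect only after restart, if the generated documentation does not already say so.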